French sports retail giant Decathlon is the latest major brand to disclose user data through a misconfigured database, leaking over 120 million records, including customer and employee information.
The database was discovered on an unsecured server. It contained information from Decathlon’s European companies. Leaked data includes employee usernames, unencrypted passwords and personally identifiable information including social security numbers and cell phone numbers.
Cybercriminals Could Use Corporate Logins To Spy On Businesses
The positions and workplaces of employees are spread across the database, as are their physical home addresses. This could lead to angry ex-employees or angry customers tracking them down and threatening their physical safety and well-being. Decathlon claims that despite the large number of records in the database, only a small percentage are actually users. The unsecured database was discovered in February and the company was notified a few days later. It took action almost immediately and closed public access to the database.
This is not the first time that sensitive data has been leaked through an unprotected server. Among other incidents, data of 20 million people and of customers of well-known hotel chains has been exposed. The database would have contained everything that malicious hackers would theoretically need to gain access to bank accounts. The data could also be used for sophisticated phishing campaigns or identity theft.
This is a real treasure trove for hackers, because the Decathlon database contains practically everything that a malicious hacker would theoretically need to take over accounts and gain access to private and even proprietary information. At the moment it is only certain that data from employees was affected. There is also the possibility that data from Decathlon was stored in the database. The Decathlon team has not checked all of the data records contained in the database.